Natxo Asenjo wrote:
On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <rcrit...@redhat.com
The 3 certs you list are the ones that are renewed via the IPA API
(as opposed to the subsystem certs renewed directly by dogtag). I
think the failures are all related. I had someone else report the
CSR decoding failure and he just restarted IPA and that fixes things
for him though it was a rather unsatisfying fix.
What I'd do is this. Assuming each step works, move onto the next.
1. ipa cert-show 1
The serial # picked more or less at random, we're testing
connectivity and that the CA is up and operational.
2. I assume that getcert list | grep expire shows all certs
currently valid? The IPA service certs expire in a month, how about
the CA subsystem certs?
3. Is this the same server having problems talking to the CA due to
the other NSS errors? If so what I'd do is restart httpd then
immediately use ipa-getcert to resubmit the requests to try to get
into that few minute window.
If this is the same box you already have debugging enabled so seeing
what that shows might be helpful.
yes, all certs are valid (see attachment getcert.txt).
So I restarted httpd, I could execute ipa cert-show 1 and get an answer,
inmediately after I run
$ sudo ipa-getcert resubmit -i 20121107212513
Resubmitting "20121107212513" to "IPA".
and now the status is the one you see in the attached getcert.txt file.
The server failed request, will retry.
I do not know if it's important, but I saw that the usercertificate
attribute of the pki user admin was expired.1
I attach the error_log of httpd as well.
Ok, how about we work around the problem.
Since it is failing on the revocation what you might try is removing the
userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.
I think this will work:
$ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
<note this down for later>
$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
If this doesn't work you can use ldapmodify to delete the
This will remove the certificate value so there is nothing to revoke and
a new cert will be saved (hopefully).
Now try to resubmit the request via certmonger.
It if works then you can run ipa cert-revooke <old serial #>
It isn't a great answer long-term because it is really just working
around the problem but it should get the certs renewed.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project